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4 OES 2 SP3: NSS Auditing Client Logger (VLOG) Utility Reference 


About This Guide 


This reference guide describes the syntax and options for the Novell Storage Services (NSS) Auditing 
Client Logger (VLOG) utility for Novell Open Enterprise Server (OES) 2 Support Pack 3 (SP3) Linux. 
The VLOG utility is used with the NSS Auditing Engine, which is available in OES 2 SP2 Linux and 
later. 


This guide includes the following sections: 


¢ Chapter 1, “Overview of the NSS Auditing Client Logger (VLOG) Utility,” on page 7 
+ Chapter 2, “What’s New for VLOG,” on page 11 

+ Chapter 3, “VLOG Utility Man Page,” on page 15 

+ Appendix A, “Documentation Updates,” on page 35 


Audience 


This guide is intended for system administrators or anyone who is responsible for auditing file 
system events on NSS file systems on OES 2 SP3 Linux servers. 


Knowledge of the NSS file system is assumed. Some background knowledge of the host operating 
system is also assumed. 


Feedback 


We want to hear your comments and suggestions about this manual and the other documentation 
included with this product. Please use the User Comments feature at the bottom of each page of the 
online documentation, or go to Novell Documentation Feedback (http://www.novell.com/ 
documentation/feedback.html) and enter your comments there. 


Documentation Updates 


The VLOG man page, vlog (8), is available on the server. Updates to the man page are delivered with 
any updates to the VLOG utility. 


For the most recent version of the OES 2 SP3: NSS Auditing Client Logger (VLOG) Reference, visit the 
Novell Open Enterprise Server 2 Documentation Web site (http://www.novell.com/documentation/ 
oes2/security.html) under Security. 


Additional Documentation 


Information about the NSS Auditing Engine SDK (Software Development Kit) is available on the NSS 
Auditing SDK Web site (http://developer.novell.com/wiki/index.php/NSS_Auditing_SDK). 
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1.1 


1.1.1 


1.1.2 


Overview of the NSS Auditing Client 
Logger (VLOG) Utility 


The Novell Storage Services (NSS) Auditing Client Logger (VLOG) utility for Novell Open Enterprise 
Server (OES) 2 Support Pack 3 (SP3) Linux is used with the NSS Auditing Engine (/etc/init .d/ 
novell-vigil). The NSS Auditing Engine is installed by default when you install NSS on an OES 2 
SP3 Linux server. 

è Section 1.1, “Using VLOG with the NSS Auditing Engine,” on page 7 


+ Section 1.2, “Using Auditing Client Applications with the NSS Auditing Engine,” on page 9 


Using VLOG with the NSS Auditing Engine 


When VLOG is running, it intercepts, parses, filters, augments, and displays auditing records 
received from the NSS Auditing Engine (vigil). For information about configuring and using the 
VLOG utility, see Chapter 3, “VLOG Utility Man Page,” on page 15. 


The basic functionality includes: 


¢ Section 1.1.1, “Logged Output,” on page 7 

è Section 1.1.2, “Paths to Include or Exclude,” on page 7 

¢ Section 1.1.3, “File System Events to Monitor,” on page 8 

¢ Section 1.1.4, “NSS, NCP, and CIFS Event Sub-Types to Monitor,” on page 8 
¢ Section 1.1.5, “VIGIL Events to Monitor,” on page 8 


Logged Output 


By default, vlog sends its output to stdout in an XML record format. VLOG also supports output in 
CSV (comma-separated values) format and SENT format (for Novell Sentinel/Log Manager 
products). For information, see “VLOG Options” on page 17. 


Paths to Include or Exclude 


VLOG allows you to specify which files and directories are to be monitored. You can specify patterns 
for the file and directory names by using a defined set of search characters. You can specify which file 
paths are to be included or excluded. For information, see “Path Element Options” on page 24. For 
examples of path patterns, see “Path Element Examples” on page 25. 
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1.1.3 File System Events to Monitor 


VLOG can be configured to log various file system events on files and directories that are reported by 
the NSS Auditing Engine, including: 


+ 


+ 


+ 


+ 


+ 


delete 

create 

open 

close 

rename 

link 

metadata modified 
trustee added or removed 


inherited rights modified 


For information, see “Event Types” on page 29 and “Event Type Examples” on page 29. 


1.1.4 NSS, NCP, and CIFS Event Sub-Types to Monitor 


These NSS file system events can be audited by NSS, NCP (NetWare Core Protocol), and CIFS sub- 
types. For information, see “Event Sub-Types NSS, NCP, and CIFS” on page 30 and “Event Sub-Type 
Examples” on page 30. 


1.1.5 VIGIL Events to Monitor 


VLOG can also be configured to report various events internal to the NSS Auditing Engine, referred 
to as VIGIL events, such as: 


+ 


+ 


+ 


+ 


+ 


+ 


+ 


Starting or stopping the vigil .ko kernel module 

Starting or stopping the vigil.ncp.ko kernel module 

Starting or stopping the vigil .nss.ko kernel module 

Starting or stopping the vigil .cifs.ko kernel module 

Starting or stopping the Auditing Client (an internal construct of the NSS Auditing Engine) 
Starting or stopping the Auditing Client User (an internal construct of the NSS Auditing Engine) 


Rolling the audit record log file over to a new file when the log reaches an administrator- 
specified maximum size 


For information, see “Patterns for Filtering Records of Type VIGIL” on page 21 and “Examples for 
Filtering VIGIL Events” on page 23. 
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1.2 


1.2.1 


1.2.2 


Using Auditing Client Applications with the NSS Auditing 
Engine 


Some auditing client applications, such as Novell Sentinel and various third-party products, can 
access audited events that are reported by the NSS Auditing Engine. Information about the NSS 
Auditing Engine Software Developer Kit (SDK) is available on the NSS Auditing SDK Web site (http:/ 
/developer.novell.com/wiki/index.php/NSS_Auditing SDK). 

¢ Section 1.2.1, “Novell Sentinel Log Manager,” on page 9 


+ Section 1.2.2, “Third-Party Partner Applications,” on page 9 


Novell Sentinel Log Manager 


Novell Sentinel Log Manager can be used to collect and report on event logs from the NSS Auditing 
Client Logger utility. Novell Sentinel Log Manager runs on a 64-bit SUSE Linux Enterprise Server 
(SLES) 11 host. You can download Novell Sentinel Log Manager from the Novell Download Web site 
(http://download.novell.com/Download?buildid=woGGwp3Mab4-~). A 90-day evaluation license is 
available on the download site. For installation and usage instructions, see the Novell Sentinel Log 
Manager Documentation Web site (http://www.novell.com/documentation/novelllogmanager10/). 


Third-Party Partner Applications 


As of the OES 2 SP2 Linux release, the following Novell partners are developing applications for use 
with the NSS Auditing Engine: 


+ Blue Lance 
+ NetVision 


è Symantec 
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2.1 


2.2 


What’s New for VLOG 


This section describes changes and enhancements that were made to Novell Storage Services (NSS) 
Auditing Client Logger (VLOG) utility since its initial release for Novell Open Enterprise Server 
(OES) 2 Support Pack 2 (SP2) Linux. 

¢ Section 2.1, “What's New (July 2013 Patches),” on page 11 

+ Section 2.2, “What’s New (April 2013 Patches),” on page 11 

+ Section 2.3, “What’s New (January 2013 Patches),” on page 12 

¢ Section 2.4, “What's New (March 2012 Patches),” on page 12 

¢ Section 2.5, “What's New (September 2011 Patches),” on page 13 

+ Section 2.6, “What’s New (May 2011 Patches),” on page 13 

+ Section 2.7, “What's New for VLOG in OES 2 SP3,” on page 13 


What’s New (July 2013 Patches) 


In addition to bug fixes, the July 2013 Scheduled Maintenance for OES 2 SP3 provides the following 
enhancement: 


+ MaxFileCount: The default value for maxStreamFileCount has changed from 50 files to 
4096 files. 


What’s New (April 2013 Patches) 


Upgrade to eDirectory 8.8.7 


An upgrade to Novell eDirectory 8.8 SP7 is available in the April 2013 Scheduled Maintenance for 
OES 2 SP3. For information about the eDirectory upgrade, see TID 7011599 (http://www.novell.com/ 
support/kb/doc.php?id=7011599) in the Novell Knowledgebase. 


There will be no further eDirectory 8.8 SP6 patches for the OES platform. Previous patches for Novell 
eDirectory 8.8 SP6 are available on Novell Patch Finder (http://download.novell.com/patch/finder/ 
#familyld=112&productId=29503). 
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2.3 


2.4 


What’s New (January 2013 Patches) 


Novell Client Support for Windows 8 and Server 2012 


The January 2013 Scheduled Maintenance for OES 2 SP3 announces the availability of Novell Client 2 
SP3 for Windows with support for: 


¢ Windows 8 (32-bit and 64-bit) excluding Windows 8 RT 
+ Windows Server 2012 (64-bit) 


Novell Client 2 documentation links in this guide have been updated to reflect the release of SP3. 


Novell Client 2 SP3 for Windows documentation is available on the Web (http://www.novell.com/ 
documentation/windows_client/). Documentation for earlier versions is available under Previous 
Releases (http://www.novell.com/documentation/windows_client/#previous). 


OES Client Services Support for Windows 8 and IE 10 


In the January 2013 Scheduled Maintenance for OES 2 SP3, OES client services added support for 
user access from Windows 8 clients (excluding Windows 8 RT), with the exception of Domain 
Services for Windows (DSfW). DSfW was not tested with Windows 8 clients and does not support 
them. 


Client applications are supported to run on Windows 8 clients in the desktop user interface view. 


Web-based client access is supported for the Internet Explorer 10 Web browser in the desktop user 
interface view for Windows 7 clients and Windows 8 clients. 


OES Client Services Do Not Support Windows Server 2012 


In the January 2013 Scheduled Maintenance for OES 2 SP3, OES client services were not tested with 
Windows Server 2012 servers. Client access support for Windows Server 2012 is not planned for OES 
2 SP3. 


OES Client Services Support for Mac OS X 10.8 and Safari 6.0 


In the January 2013 Scheduled Maintenance for OES 2 SP3, OES client services added support for 
user access from Mac OS X Mountain Lion (version 10.8) clients, with the exception of Domain 
Services for Windows (DSfW) and Novell iFolder: 


+ DSfW was not tested with Mac OS X 10.8 clients and does not support them. DSfW support for 
Mac OS X 10.8 clients is planned for a future release. 


+ The iFolder client does not run on Mac OS X 10.8 clients and does not support them. 


Web-based client access is supported for the Apple Safari 6.0 Web browser on Mac OS X 10.8 clients. 
Safari 6.0 is not supported by DSfW and iFolder. 


What’s New (March 2012 Patches) 


In addition to bug fixes, the following option was added: 


+ LogFilePath: Use this option to specify a path for the vlog log file. The default log file directory 
is /var/log/audit. The vlog file is created in the specified location. 
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2.5 


2.6 


2.1 


[--logFilePath] FILE PATH 


For information, see “[--logFilePath] FILE-PATH” on page 18. 


What’s New (September 2011 Patches) 


The --maxFileCount option was added for the September 2011 Scheduled Maintenance patches for 
OES 2 SP2 and OES 2 SP3. 


In addition to bug fixes, Novell Cluster Services added support for OES 2 SP3 services and file 
systems on the SUSE Linux Enterprise Server (SLES) 10 SP4 operating system. You can upgrade to 
SLES 10 SP4 by using the move-to-sles10-sp4 patch in the SLES patch channel. 


What’s New (May 2011 Patches) 


The --logfilepatch option was added for the May 2011 Scheduled Maintenance patches for OES 2 
SP2 and OES 2 SP3. 


What’s New for VLOG in OES 2 SP3 


In addition to bug fixes, the following options are new for the NSS Auditing Client Logger utility in 
OES 2 SP3: 

+ [-b, --blockNssEventsOfVol] NSS-VOLUME-NAME 

¢ [-d, --daemonize] 

* [-k, --keepLogFiles] 

+*+ [-K, --keepClient] 


¢ [-O, --outputLaf] 

* [-q, --cursorFile] 

+ [-S, --shareClient] 

+ [-x, --closeAuditClient] 
* [-z, --exit] 

* [-Z, --libraryLinkage] 


The following options that were previously reserved for debugging are now available for general 
use: 


¢ [-c, --clientKey] CLIENT-KEY 

¢ [-C, --clientName] CLIENT-NAME 
* [-o, --outputFile] FILE-PATH 

+ [-r, --recCnt] NUMBER-OF-RECORDS 
* [-u, --userKey] USER-KEY 

+ [-U, --userName] USER-NAME 


For information about these new and revised options, see “VLOG Options” on page 17. 
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VLOG Utility Man Page 


This section provides the syntax, options, and examples for the Novell Storage Services (NSS) 
Auditing Client Logger (VLOG) utility for Novell Open Enterprise Server (OES) 2 Support Pack 3 
(SP3) Linux. This information is also available on the server as the vlog (8) man page. 

¢ “Synopsis” on page 16 

e “Availability” on page 16 

¢ “Syntax” on page 16 

+ “Description” on page 16 

e “VLOG Options” on page 17 

¢ “Filtering Records” on page 20 

¢ “Patterns for Filtering Records of Type VIGIL” on page 21 

¢ “Patterns for Filtering Records of Type NSS, NCP, and CIFS” on page 23 

¢ “Filter Pattern Examples” on page 31 


¢ “Troubleshooting” on page 32 


VLOG Utility Man Page 


15 


16 


vlog(8) 


Name 


vlog - The Novell Storage Services Auditing Client Logger utility. 


Synopsis 
/opt/novell/vigil/bin/vlog [OPTIONS] 


or information about options, see “VLOG Options” on page 17. 


Availability 


This man page is specific to vlog v1.01.10 (or later), distributed with Novell Open Enterprise Server 2 
Support Pack 3. 


Syntax 


Prior to running vlog, the NSS Auditing Engine (/etc/init .d/novell-vigil) should be started. To 
check the status of the engine, issue the following command (as the root user) in a terminal console: 


/etc/init.d/novell-vigil status 


If the status is not “Running”, the engine should be started by issuing the following command (as the 
root user) in a terminal console: 


/etc/init.d/novell-vigil start 
Run the NSS Auditing Client Logger (vlog) utility in a terminal console (generally as the root user). 
/opt/novell/vigil/bin/vlog [OPTIONS] 


Stopping vlog requires a SIGTERM signal. This can be done by issuing a Ctrl+C in the terminal where 
vlog is running, or by using the kill or killall command. For example, to kill all instances of vlog, 
enter the following in a terminal console: 


killall -s SIGTERM vlog 


IMPORTANT: If vlog terminates because of a SIGTERM signal, it instructs the NSS Auditing Engine 
(vigil) to discontinue sending auditing data records to the specific instance of vlog. 


If the application is terminated without a SIGTERM signal (such as closing the window in which vlog 
is running), the NSS Auditing Engine does not discontinue sending auditing records to the vlog 
instance. Because an auditing record log entry is sent by appending it to the log file instance, the log 
file continues to grow. Over time, the audit log files can grow to fill all available disk space. See 
“Troubleshooting” on page 32 for further details. 


Description 


Intercepts, parses, filters, augments, and displays auditing records received from the NSS Auditing 
Engine (vigil). 
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VLOG Options 


By default, vlog sends its output to stdout in an XML record format. The following options modify 
vlog’s default behavior: 


[-a, --asciiOut] 


Prints Unicode 16 (NSS paths) in \uxxxx format. Without this option, Unicode 16 is output in 
UTF-8 format. 


[-b, --blockNssEventsOfVol] NSS-VOLUME-NAME 


Blocks events (of type NSS) from the specified NSS volume from audit record stream. This 
option is followed by exactly one NSS volume name. This option can be specified multiple times 
on the command-line to specify multiple NSS volumes. 

[-c, --clientKey] CLIENT-KEY 


Sets the NSS Auditing client key to CLIENT-KEY. If this option is not specified, the default client 
key of “Zarahemla” is used. The CLIENT-KEY value is required to attach a new instance of vlog 
to a pre-existing NSS Auditing client data stream. 

[-C, --clientName] CLIENT-NAME 


Sets the NSS Auditing client name to CLIENT-NAME. The CLIENT-NAME value length is limited to 
1 to 15 bytes long, and must be unique on the system. 


If this option is not specified, vlog generates a unique, random NSS Auditing client name (and 
is not limited to the 1 to 15-byte-length limit of this option). The CLIENT-NAME value is required 
to attach a new instance of vlog to a pre-existing NSS Auditing client data stream. 


[-d, --daemonize] 


Uses daemon mode, which causes vlog to run in the background. All output directed to stdout 
or stderr is eliminated. 


[-£, --format] [NUL, XML, CSV, SENT] 
Sets the output format using the specified format as follows: 
NUL 
No output. 
XML 
(Default) Extensible Markup Language (XML) format. 
CSV 
Comma Separated Values (CSV) format. 
SENT 
Format compatible with Novell Sentinel/Log Manager products. 


[-F, --filterFile] FILE-PATH 


Specifies a path to a filter file that contains filter patterns to be applied to the auditing records 
that are received from the NSS Auditing Engine (vigil). This option can be specified multiple 
times on the command-line to specify multiple filter file paths. See “Filtering Records” on 
page 20 for further details. 


[-h, --help] 
Causes vlog to display a help page, then terminate. 
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[-k, --keepLogFiles] 


Keeps unprocessed log files upon program termination. Log files represent the auditing data 
stream between the NSS Auditing Engine and vlog. The vlog files are stored in directory 


/var/log/audit/vlog/{clientName } / 
If this option is not specified, vlog destroys this directory, along with all of its content (including 
the cursor file, if it is implemented), when vlog terminates. 

[-K, --keepClient] 


Sets the NSS Auditing client flag VIGIL_CLIENT_F_KEEP, which causes vlog to leave the NSS 
Auditing client data stream open upon normal termination, and creates an orphaned NSS 
Auditing client data stream. If this option is not specified, the VIGIL_CLIENTF_KEEP flag is not 
set, causing the NSS Auditing client data stream to close upon normal vlog termination. 


[-1, --size] SIZE-IN-BYTES 
Limits the NSS Auditing client’s audit log file to SIZE- IN-BYTES (before rolling to a new file). A 
SIZE-IN-BYTES of zero [0] indicates “no limit”. By default, the size is 262144 bytes. 
[--logFilePath] FILE-PATH 
Specify the vlog log file path. The default log file location is /var/log/audit. The vlog file will 
be created in the specified location. 
[-m, --maxFileCount] maxStreamFileCount 


Limit the vigil auditing client’s log files count. The default value for the maxStreamFileCount is 
4096 files. After the number of stream files reaches the maxStreamFileCount value, the oldest 
audit streamfile is deleted to accommodate the newest data. 


[-o, --outputFile] FILE-PATH 


Redirects vlog output from stdout to the specified FILE- PATH. 


[-O, --outputLaf] 


Causes vlog to send output to the Linux Auditing Framework (LAF). This option does not cause 
output to stop being sent to stdout (or as redirected by the [-o, --outputFile] option). 
Rather, this option causes output to also be sent to LAF. 


[-p, --pattern] FILTER-PATTERN 


Adds a filter pattern, which filters records in the NSS Auditing data stream from vlog output. 
This option is followed by exactly one filter pattern. This option can be specified multiple times 
on the command-line to indicate multiple filter patterns. See “Filtering Records” on page 20 for 
further details. 


[-q, --cursorFile] 


Causes vlog to implement a cursor file to track the current position in the NSS Auditing client 
data stream. The memory-mapped file contains both the path of the current audit log file being 
processed, as well as the offset of the audit record being processed in that file. If vlog 
unexpectedly terminates, the cursor file preserves this information, allowing a future instance of 
vlog to reconnect to the NSS Auditing client data stream, and continue processing records in the 
stream, in the same audit log file, and at the same record offset, where the prior (terminated) 
vlog instance had stopped. The cursor file is stored in the same directory as the audit log file(s): 


/var/log/audit/vlog/{clientName } / 
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[-r, --recCnt] NUMBER-OF-RECORDS 


Limits the NSS Auditing client’s audit log file to NUMBER-OF-RECORDS records before rolling to a 
new file. A NUMBER-OF-RECORDS value of zero [0] indicates “no limit”. If this option is not 
specified, the default value for NUMBER-OF-RECORDS is zero [0]. 

[-S, --shareClient] 


Causes vlog to set the NSS Auditing client flag: VIGIL_CLIENT_F_SHARE. This flag allows 
another instance of vlog to attach to the NSS Auditing data stream. Without this option, other 
instances of vlog are unable to connect the the NSS Auditing data stream created by this client. 
[-u, --userKey] USER-KEY 
Sets the NSS Auditing client user key to USER-KEY. If this option is not specified, the default 
value of “Teancum” is used as the client user key. 
[-U, --userName] USER-NAME 
Sets the NSS Auditing client user name to USER-NAME. If this option is not specified, vlog 
generates a unique, random, NSS Auditing client user name for the vlog instance. 
[-v, --incverbose] 


Debugging option. Increments the vlog’s (error and warning) verbose level by one, and reports 
the verbose level. Use the -v option to specify a verbose level. Verbose messages are sent to 
stderr, and to the system message log. 


[-V, --setverbose] VERBOSE-LEVEL 


Debugging option. Sets vlog’s (error and warning) verbose level to the specified value. Verbose 
messages are sent to stderr, and to the system message log. Each level includes the messages of 
the lower levels. 


Verbose Levels Description 

60 or greater vlog debugging messages. 

50 or greater Filter-parsing notes. 

AO or greater Program-warning notes (mostly due to filter pattern issues). 

30 or greater Filter-related notes (why audit records match, or are excluded, by filters). 
20 or greater Internal modes are noted (mostly cursor-file related modes). 

10 or greater Configuration changes are noted (as per command-line options). 

0 or greater Normal (default). Only fatal errors are emitted. 

Less than 0 Silent. No messages are emitted. 


For example, to set the verbose level to 22, enter 
/opt/novell/vigil/bin/vlog -V 22 


The verbose messages for fatal errors, configuration changes, and internal modes are sent to 
stderr. 
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[-x, --closeAuditClient] 


Closes the specified auditing client data stream before opening (or re-opening) the NSS 
Auditing client data stream. Requires that the [-C, --clientName] and [-c, --clientKey] 
options be previously specified on the command line. 


If this option is not specified, vlog first attempts to re-attach to a pre-existing NSS Audit data 
stream; and opens a new NSS Audit data stream if the attempt to attach to a pre-existing stream 
fails. 

[-z, --exit] 
Causes vlog to terminate immediately. This option is used internally by vlog when vlog calls 
itself recursively (as does the [-Z --libraryLinkage] option). 

[-Z, --libraryLinkage] 


Debugging option. Causes vlog to display libvigil linkage information, and terminates. 


--filterTest 


Filter pattern debugging option. Causes vlog to validate filter patterns, and terminates. Filter 
patterns specified with the [-p, --pattern] and [-F, --filterFile] options are validated. 


Filtering Records 


Auditing records can be filtered by the NSS Auditing engine (upstream), or can be filtered by vlog 
(downstream). 


The [-b, --blockNssEventsOfVol] option is an example of filtering by the NSS Auditing engine. 
The benefit of this (upstream) filtering method is that a drastic reduction of data in the client’s data 
stream can be realized. 


The vlog application supports (downstream) filtering of events, as they are received from the NSS 
Auditing Engine (vigil), by using filter patterns. Filter patterns are rules for filtering events. You can 
use either of the following methods to specify filter patterns: 


+ A filter file of filter patterns (consisting of one filter pattern per line) can be specified with the [- 
F, --filterFile] command line option. This option must be followed by a [path/] filename. 


A filter file can contain comment lines. Comment lines begin with a pound sign (#) or a double 
forward slash (//). 


+ Individual filter patterns can be specified with the [-p, --pattern] command line option. This 
option must be followed by a quoted filter pattern. 


There are two kinds of patterns that can be specified from a filter file by using the [-F, -- 
filterFile] option, or specified individually in the command by using the [-p, --pattern] 
option. 


¢ Patterns for filtering records of type VIGIL 
¢ Patterns for filtering records of type NSS, NCP, and CIFS 


Each of these pattern types are discussed below. 
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Patterns for Filtering Records of Type VIGIL 


Records of type VIGIL represent operations internal to the NSS Auditing Engine. By default, records 
of type VIGIL are not filtered from vlog’s output. 


+ “START” on page 21 

e “STOP” on page 21 

e “NCP_START” on page 22 

e “NCP_STOP” on page 22 

+ “NSS_START” on page 22 

+ “NSS_STOP” on page 22 

+ “CIFS_START” on page 22 

e “CIFS_STOP” on page 22 

e “CLIENT_START” on page 22 
e “CLIENT_STOP” on page 22 
e “USER_START” on page 22 
+ “USER_STOP” on page 22 

e “ROLL” on page 22 

+ “ALL” on page 22 


Filter Syntax for Type VIGIL Records 


The general pattern for filtering records of type VIGIL is: 


: [+ or -] KEYWORD [[+ or -] KEYWORD] 


A pattern used to filter records of type VIGIL has a colon (:) as the first character of the pattern. 


The colon is followed by one or more keywords that represent records that are to be included or 
excluded from the vlog output. Multiple keyword entries are separated by a space. Keywords are 
applied in the order that they appear in the filter pattern. 


The specified keyword causes specific records of type VIGIL to be included or excluded from the 
output. Each keyword is preceded by an exclude/include character that indicates whether the records 
that match the specified pattern should be excluded or included in the vlog output. A minus (-) 
character indicates that the records that are represented by the keyword that follows it should be 
excluded from the vlog output. A plus (+) character indicates that the records that are represented by 
the keyword that follows it should be included in the vlog output 


Filter Keywords for Type VIGIL Records 


The keywords for VIGIL record types are as follows: 
START 


Each time the vigil .ko kernel module is loaded, a “Start” record is sent to all auditing clients. 


STOP 


Each time the vigil .ko kernel module is unloaded, a “Stop” record is sent to all auditing 
clients. 
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NCP_START 


Each time the vigil .ncp.ko kernel module is loaded, an “NCP started” record is sent to all 
auditing clients. 


NCP_STOP 


Each time the vigil .ncp.ko kernel module is unloaded, an “NCP stopped” record is sent to all 
auditing clients. 


NSS_START 


Each time the vigil .nss.ko kernel module is loaded, an “NSS started” record is sent to all 
auditing clients. 


NSS_STOP 


Each time the vigil .nss.ko kernel module is unloaded, an “NSS stopped” record is sent to all 
auditing clients. 


CIFS_START 


Each time the vigil.cifs.ko kernel module is loaded, a “CIFS started” record is sent to all 
auditing clients. 


CIFS_STOP 


Each time the vigil.cifs.ko kernel module is unloaded, a “CIFS stopped” record is sent to all 
auditing clients. 


CLIENT_START 


Each time a new Auditing Client (an internal NSS Auditing Engine construct) is activated, a 
“Client started” record is sent to all auditing clients. 


CLIENT_STOP 


Each time a new Auditing Client (an internal NSS Auditing Engine construct) is deactivated, a 
“Client stopped” record is sent to all auditing clients. 


USER_START 


Each time a new Auditing Client User (an internal NSS Auditing Engine construct) is activated, 
a “User started” record is sent to all auditing clients. 


USER_STOP 


Each time a new Auditing Client User (an internal NSS Auditing Engine construct) is 
deactivated, a “User stopped” record is sent to all auditing clients. 


ROLL 


The NSS Auditing Engine (vigil) appends auditing records to a file in a directory specified by 
the auditing client application. The auditing client application can also specify the maximum 
size of the file in which auditing records are placed, and can optionally specify that when the file 
maximum size has been reached, the NSS Auditing Engine creates a new file (in the specified 
directory) and begins appending audit records to the new file. 


When the NSS Auditing Engine creates a new file (in which audit records will be placed), it 
generates a “Roll” audit record, and appends it (as the last record) to the previously used file. 
The record contains the full (Linux) path of the newly created file, where audit record processing 
should continue. Roll records are sent only to the specifically affected auditing client, not to all 
auditing clients. 


ALL 
Used to indicate all records of type VIGIL. 
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Examples for Filtering VIGIL Events 


The following are examples of how records of type VIGIL might be filtered from the vlog output by 
specifying individual patterns at the command line prompt: 
/opt/novell/vigil/bin/vlog -p":-all" 

Specifies a filter pattern that excludes all records of type VIGIL from the vlog output. 


/opt/novell/vigil/bin/vlog -p":-all +ro11" 
Specifies a filter pattern that excludes all records of type VIGIL from the vlog output, except 
Roll records, which are shown in the vlog output. 

/opt/novell/vigil/bin/vlog -p":-roll -user_ stop -user_ start" 
Specifies a filter pattern that excludes Roll records, User stopped records, and User started 


records from the vlog output. 


Keywords are applied in the order that they appear in the filter pattern. For example, the following 
patterns are not equivalent: 
/opt/novell/vigil/bin/vlog -p":-all +roll" 
Specifies a filter pattern that excludes all records of type VIGIL, but then allows the Ro11 record. 
Of all the VIGIL type records, only the Rol1 events are output. 
/opt/novell/vigil/bin/vlog -p":+roll -all" 


Specifies a filter pattern that allows the Ro11 record, but then excludes all records of type VIGIL. 
No VIGIL type records (of any event type) are output. 


Patterns for Filtering Records of Type NSS, NCP, and CIFS 


Records of type NSS, NCP, and CIFS represent operations on files. 


+ “| (exclamation mark character)” on page 24 
e “- (minus character)” on page 24 


+ “+ (plus character)” on page 24 


Filter Syntax for Type NSS, NCP, and CIFS Records 


[negation_element] path_element (event [event...]) 


Patterns for filtering records of type NSS, NCP and CIFS consist of three elements in the following 
order: 


1. Negation Element: Indicates whether records that match the specified filter patterns that follow 
are to be included or excluded from the auditing log. The negation element, if present, is 
immediately followed by the path element. 


2. Path Element: A filename-matching pattern or directory-name-matching pattern that specifies 
directories or files to include or exclude from the audit log. The path element is delimited from 
the event element by a [space or tab] character. 


3. Event Element: A list of NSS file system events enclosed in parenthesis to include or exclude 
from the audit log. 


The options for each of the elements is described below. 
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Negation Element Options 


The negation element is a single character that is used to indicate whether the specified filter patterns 
are to be included or excluded from the auditing log. 


The negation element is a single character that precedes the path element: 


! (exclamation mark character) 
Used to negate the filter patterns specified in a filter file when the command line filter file option 
[-F, --filterFile] is used. 

- (minus character) 
Used to exclude (negate) a filter pattern that is specified on the command line when the filter 
pattern option [-p, --pattern] is used. 

+ (plus character) 
Used to include (non-negate) a filter pattern that is specified on the command line when the 
filter pattern option [-p, --pattern] is used. 


The negation element, if present, is immediately followed by the path element. 


Audit records that match a negated filter pattern are excluded from the vlog output. Specifically, 
vlog uses the following logic to include and exclude audit records from being output: 


1. If there are no include (non-negated) filter patterns specified (either in the filter pattern [-p, -- 
pattern] option or the filter file [-F, --f£ilterFile] option), include all audit records in the 
output. 


2. If one or more filter patterns are specified: 


a. If the audit record does not match any of the include (non-negated) filter patterns, do not 
output the record. 


b. If the audit record is not excluded by 2a above, and if the audit record matches any of the 
exclude (negated) filter patterns, do not output the record. 


Path Element Options 


The path element of the filter pattern is a filename-matching pattern or directory-name-matching 
pattern that specifies directories or files to include or exclude from the audit log. 


The path element immediately follows the negation element (if present). 


The path element is delimited from event element by a [space or tab] character. Thus, if a path 
element contains a space or tab character, you must do one of the following: Enclose the path element 
in quotation marks (such as "VOL1:/xyz dir/"), or escape each space or tab character within the 
path element by preceding it with a backslash (\) character (such as VOL1: /xyz\ dir/).The event 
element follows the path element delimiter (space character or tab character). 

¢ “Path Element Wildcard Characters” on page 24 


+ “Path Element Examples” on page 25 


Path Element Wildcard Characters 


The syntax for the filename and directory name pattern allows for the following wildcard characters: 
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Using the question mark (?) wildcard matches any single character, except for a forward slash 
character (/). 


Using the single asterisk (*) wildcard matches any sequence of zero or more characters, except 
for a forward slash character (/). 


+ 


Using the double asterisk (**) wildcard matches any sequence of zero or more characters, 
including a forward slash character (/). 


[chars] 
Using the [chars] wildcard matches any single character in chars. If chars contains a sequence 
of the form a-b, then any character between a and b (inclusive) will match. The forward slash (/ 
) cannot be specified within chars. A leading or trailing minus character (-) simply includes the 
minus as one of the characters in the group. 

\x 
Using the backslash before a character matches the character specified, except for the forward 
slash character (/). 

{a,b,...} 


Using the list of strings matches any of the strings a, b, and so on. 


NOTE: Generally, the forward slash character (/) must be matched explicitly. The only exception is in 
the use of a double asterisk (**). 


For path element examples, see “Path Element Examples” on page 25. 


Path Element Examples 
This section provides examples of path elements and a description of how each might be applied. 


/al-e]?/joke 


Filename Matches (Yes or No) 

/a-h/joke Yes. 

/adh/joke No. The [e-] group only includes “e” and 
“-", not “da”. 

/aeh/joke Yes. 


/alc\-e] ?/joke 


Filename Matches (Yes or No) 

/a-h/joke Yes. 

/ach/joke Yes. 

/adh/joke No. The [c\-e] group does not include “q”. 
/aeh/joke Yes. 
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/ald-£]?/joke 
Filename 
/aez/joke 
/agf/joke 

/ald-fs-u] ?/joke 
Filename 
/aef/joke 
/aft/joke 

/aldef] ?/joke 
Filename 
/ad/joke 
/aef/joke 
/agf/joke 

/aldef] [hij]?/joke 
Filename 
/afh/joke 
/afhz/joke 
/agfh/joke 

/ale-]?/joke 
Filename 
/a-h/joke 
/aeh/joke 


/afh/joke 


/a* 
Filename 
/a/b/c/da 
/a*?/a 
Filename 


/a/a 


/ab/a 

/abb/a 
/a*?\/a 

Filename 


/ab/a 


Matches (Yes or No) 
Yes. 


No. Need character from [d-f] group. 


Matches (Yes or No) 
Yes. 


Yes. 


Matches (Yes or No) 
No. No character matches the “?”. 
Yes. 


Yes. 


Matches (Yes or No) 
No. No character matches the “?”. 
Yes. 


No. Need character from [def] group. 


Matches (Yes or No) 
Yes. 
Yes. 


No. The [e-] group only includes “e” 
and “-”, not “f”. 


Matches (Yes or No) 


No. “*” does not match the “/” character. 


Matches (Yes or No) 


No. The “?” in the pattern does not 
match “/”. 


Yes. 


Yes. 


Matches (Yes or No) 


No. An escaped “/” in the pattern 
cannot match “/”. 
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/a** 


Filename Matches (Yes 
/a/b/c/d Yes. 
/a**?/a 
Filename Matches (Yes 
/a/a 
/a/b/c/a Yes. 
/a**/ 
Filename Matches (Yes 
/a/b/c/d No. Must end 
/a/b/c/d/ Yes. 
/a*/ 
Filename Matches (Yes 
/a/b/c/da No. “*” does 
/a/*/b/c/**/e/£ 
Filename 
/a/b/b/c/d/d/d/d/e/£ 
/a/b/b/c/d/d/d/d/e/f/e/£f/e/£f 
/a/b/b/c/d/a/d/e/£/ 
/a/b/c/d/e/e/e/e/t 
/a/xxx/b/d/e/e/e/e/ft 
/a/*/b/c/**/e/£/ 
Filename Matches 
/a/b/b/c/da/d/d/d/e/t 
/a/*/d/e 
Filename Matches (Yes 
/a/d/e/ No. Must end 
/a/def/d/e Yes. 
/a/def/d/e/ No. Must end 


abc, {,,,{,%,,},,,}de£ 


Filename Matches (Yes 


abc, def Yes. 


or No) 


or No) 


No. No character matches the “?”. 


or No) 


with the “/” character. 


or No) 


not match the “/” character. 


Matches (Yes or No) 
Yes. 
Yes. 


No. Must end with the 
“f” character. 


No. Need something between 
a/ and /b/c. 


No. /a/xxx/b must be 
followed by /c. 


(Yes or No) 


No. Must end with the “/” character. 


or No) 
with the “e” character. 
with the “e” character. 


or No) 
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abc, }{,,,{,%,,},,,}}def 


Filename 


abc, }}def 


abc{,,,{,X,,},,,}def 


Filename 
abcdef 
abcxdef 
abcydef 
abc{}def 
Filename 


abcdef 


Matches (Yes or No) 


Yes. 


Matches (Yes or No) 
Yes. 
Yes. 


No. Nothing after “abc” allows “y”. 


Matches (Yes or No) 


Yes. 


abc*{def,xyz,hij, {a* [d-g] ,b* [7-9] }z}qrt*m 


Filename 
abcadzgqrtm 
abcaezgqrtm 


abcb6ézqrtm 


abcb8zqrtm 


abcdefadzqrtm 


abcdefdefqrtm 


abcdefqrtm 
abchijqrtm 


abcxyqrtm 


abcxyzdefqrtm 


abcxyzgqrtm 


Matches (Yes or No) 
Yes. 
Yes. 


No. Nothing after “abcd” would 
allow “6”. 


Yes. 
Yes. 
Yes. 
Yes. 
Yes. 


No. Nothing after “abc” would 
allow “xyq”. 


Yes. 


Yes. 


For simplicity, the NSS volume name was omitted from the above examples. NSS audit records 
emitted by the NSS Auditing Engine (vigil) have paths that include the NSS volume name. In order 
to match these NSS audit records, the NSS volume name must be specified as part of the path 
element, similar to the following: 


VOL1:/a*?/a 
Filename 
VOL1:/ab/a 

VOL2:/a*?/a 


Filename 


VOL1:/abb/a 


Matches (Yes or No) 


Yes. 


Matches (Yes or No) 


No. 
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VOL2:/a**?/a 
Filename Matches (Yes or No) 


VOL2:/a/b/c/a Yes. 


Event Element Options 


The event element consists of a list of events enclosed in parentheses. The events listed in the 
parentheses are delimited by a [space or tab] character. 


The event element follows the path element delimiter (space character or tab character). 


+ “Event Types” on page 29 

+ “Event Type Examples” on page 29 

+ “Event Sub-Types NSS, NCP, and CIFS” on page 30 
+ “Event Sub-Type Examples” on page 30 


Event Types 


Valid event options are: 


DELETE 


DDTRUSTEE 
EMOVETRUSTEE 
SETINHERITEDRIGHTS 
LINK 


The asterisk character (*) can be used to specify all events. 


The exclamation mark (!) or minus (-) characters can precede an event name to exclude (negate) 
events of that type. 


The event options can occur in any order in the parenthesis. When parsing an event list, a list of 
included (non-negated) events is first created, then the excluded (negated) events (that is, those with 
the [! or -] exclusion character in front of them) are removed from that list. 


Event Type Examples 


The following are examples of event element pattens and a description of the results you can expect 
for each one: 


(*) 
Includes all elements. 


(OPEN CLOSE RENAME) 


Includes only the OPEN, CLOSE, and RENAME events. 
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(* !OPEN) 
Includes all events except OPEN. 
This list could also have been specified as (!OPEN *). All excluded (negated) events are 
removed after first creating a list of events that are included (non-negated). 
(OPEN CLOSE ! RENAME) 
Includes only the OPEN and CLOSE events. 
The ! RENAME is not necessary here because it was never included. Typically, you add the 
excluded events in the list only when you use the asterisk (*) to specify all events. 
(!* OPEN CLOSE) 
Excludes all events. No events are included because all events were excluded. 
This example illustrates that you can put the [! or -]character in front of the asterisk (*). 


The OPEN and CLOSE event names have no effect because all excluded (negated) events are 
processed after the included (non-negated) events. In effect, this list includes the OPEN and CLOSE 
events, then excludes all events. 


(OPEN !OPEN CLOSE) 
Includes only the CLOSE event. 
The OPEN and !OPEN cancel each other out. 


Event Sub-Types NSS, NCP, and CIFS 


Each event in the list can also specify a list of event sub-types to include or exclude. These are 
specified in parentheses immediately after the operation name. Event sub-types are delimited by a 
space or tab. 


Valid event sub-types are: 


NSS 
NCP 
CIFS 


The asterisk (*) can be used to include all event sub-types.If no sub-types are specified, they are all 
included by default. 


The exclamation mark (!) or minus (-) characters can precede a sub-type to exclude it. 


The sub-types can occur in any order in the parentheses. When parsing a sub-type list, a list of 
included (non-negated) sub-types is created first, then the excluded (negated) sub-types (that is, 
those with the [! or -] exclusion character in front of them) are removed from that list. 


Event Sub-Type Examples 


This section provides examples of event element patterns and a description of how each might be 
applied. 


(*) 
Matches all events. 


(OPEN) 
Matches all OPEN events (including the NSS, NCP, and CIFS sub-types). 
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(OPEN CLOSE) 
Matches only the OPEN and CLOSE events (including the NSS, NCP, and CIFS sub-types). 


(OPEN(NSS) CLOSE (NSS) ) 
Matches only the NSS OPEN and NSS CLOSE events. 


(* !OPEN) 
Matches all events (including the NSS, NCP, and CIFS sub-types) except the OPEN event. 


(* !OPEN(NSS) !CLOSE(NSS) ) 
Matches all events except the NSS OPEN and NSS CLOSE events. 


(* !OPEN(* !INSS) !CLOSE(* !NSS) ) 


Matches all events except the non-NSS OPEN and non-NSS CLOSE events. 


Filter Pattern Examples 


This section provides examples of filter patterns and a description of how each might be applied. 
These examples are specific to entries in the filter file (when using the [-F, --filterFile] option). 
VOL1:/abc/* (*) 


Include: Matches all events on any file in the voL1: /abc directory. The events on files in 
subdirectories are not included. 


VOL1:/abc/** (*) 
Include: Matches all events on any file in the VOL1: /abc directory and any of its subdirectories. 


VOL1:/abc/* (OPEN CLOSE) 


Include: Matches only OPEN and CLOSE events on any file in the VOL1: /abc directory. The events 
on files in subdirectories are not included. 


VOL1:/abc/* (* !OPEN ! CLOSE) 
Include: Matches all events except the OPEN and CLOSE events on any file in the VOL1: /abc 
directory. 

VOL1:/abc/* (OPEN(NSS) CLOSE (NSS) ) 
Include: Matches only NSS OPEN and NSS CLOSE events on any file in the VOL1: /abc directory. 


VOL1:/abc/* (* !OPEN(NSS) !CLOSE(NSS) ) 
Include: Matches all events except the NSS OPEN and NSS CLOSE events on any file in the VOL1: / 
abc directory. 
VOL1:/abc/* (* !OPEN(* !NSS) !CLOSE(* !NSS) ) 
Include: Matches all events except the non-NSS OPEN and non-NSS CLOSE events on any file in 
the VOL1: /abc directory. 
!VOL1:/abc/def (*) 
Exclude: Matches all events for the VOL1: /abc/def file. This exclusion causes all events on the 
VOL1:/abc/def file to be dropped (assuming that they had been included by an include rule). 
!VOL1:/abc/def (OPEN) 


Exclude: Matches OPEN events for the VOL1: /abc/def file. This exclusion effectively excludes 
OPEN events on the VOL1: /abc/def file. 
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VOL1:/abc/def (* !OPEN) 


Include: Matches all events except the OPEN event on the VOL1: /abc/def file. This is another 
way to exclude OPEN events on the VOL1: /abc/def file. 


!VOL1:/abc/def (* !OPEN) 


Exclude: Matches all events except the OPEN event on the VOL1: /abc/def file. This effectively 
excludes all events except the OPEN event on the VOL1:/abc/def file (assuming they had been 
included by an include rule). 


"VOL1:/xyz dir/*" (*) 


Include: Matches all events on any file in the “VOL1:/xyz dir” directory. Quotation marks are 
used to enclose the pattern when the path contains spaces. Otherwise, the space in “xyz dir” is 
treated as a delimiter between the pattern and the events. 


VOL1:/xyz\ dir/* (*) 


Include: Matches all events on any file in the “VOL1: /xyz dir”. A backslash (\) is used to escape 
the space character in the directory name “xyz dir”. Otherwise, the space in “xyz dir” is 
treated as a delimiter between the pattern and the operations. 


Troubleshooting 


Orphaned Auditing Client 


The NSS Auditing Engine (vigil) implements an interface that allows user-space applications (such 
as vlog) to establish Auditing Clients. When doing so, the user-space application (such as vlog) 
specifies various parameters, such as a directory in the Linux file system where the auditing record 
log files are placed. 


After an Auditing Client has been established, the NSS Auditing Engine (vigil) architecture has 
been designed to store the auditing records in files in the directory specified by the auditing 
application (such as vlog or Novell Sentinel). 


Records are stored in the files until the Auditing Engine is instructed to stop, or until the NSS 
Auditing Engine is stopped. If the auditing application terminates (perhaps unexpectedly), and the 
NSS Auditing Engine is therefore not instructed to stop sending records to the Auditing Client’s 
directory, the NSS Auditing Engine continues to store auditing records in the Auditing Client’s 
specified directory. 


An Auditing Client that does not have a live user-space application associated with it is called an 
Orphaned Auditing Client. The architecture of the NSS Auditing Engine supports this mode of 
operation. This mode facilitates the continued collection of auditing data, even if the auditing 
application temporarily fails. The NSS Auditing Engine architecture assumes that the auditing 
application will eventually be restarted, and will then re-connect to the auditing stream. 


The default configuration of the vlog application does not attempt to re-connect to an orphaned 
Auditing Client from a previous failed vlog session. If vlog is not properly terminated by the 
SIGTERM signal, an Orphaned Auditing Client is created. 


IMPORTANT: If Orphaned Auditing Clients are not stopped, they continue until they fill the Linux 
file system partition with auditing data. 


You can use one of the following methods to eliminate Orphaned Auditing Clients: Start and stop (or 
restart) the NSS Auditing Engine, or stop a specific instance of the Auditing Client. Each method is 
described below. 
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Method 1: Stop and Start (or Restart) the NSS Auditing Engine 

To do this, enter the following commands as the root user at a terminal console prompt: 
/etc/init.d/novell-vigil stop 

/etc/init.d/novell-vigil start 

Or you can enter the following command to restart the engine: 


/etc/init.d/novell-vigil restart 


This method stops all Auditing Clients, including those that were not associated with the vlog 
application. This might be undesirable because some auditing records of file-system events will not 
be logged to the various auditing applications. 


Method 2: Stop a Specific Auditing Client Instance 


By default, all active Auditing Clients for the NSS Auditing Engine can be listed by listing the 
directory content of the /sys/audit/vigil directory. 


For example, enter the following command as the root user at a terminal console prompt: 
11 /sys/audit/vigil 


All active Auditing Clients are represented in the listing as directories named “CLIENT_*”. Using the 
[-C, --clientName] option, vlog Auditing Clients can be given a name such as “JOHN”, and the 
specific entry in the /sys/audit/vigil/ directory will be “CLIENT_JOHN”. If the [-c, -- 
clientName] option is not specified, vlog generates a random Auditing Client name. Generated 
name entries are prefixed with “CLIENT_VLOG_”, followed by the process ID that created the client, 
followed by a numeric value that represents the date and time that the specific Auditing Client was 
started. 


For example, a vlog generated client name might be: 
CLIENT VLOG 31691-1264200226 


In order to stop a specific instance of a vlog Orphaned Auditing Client, that client’s entry in /sys/ 
audit/vigil/ must be accurately identified. The root user can stop a specific instance of an 
auditing client by writing a STOP command to the client’s CONTROL file (found in that client’s 
directory). The ClientKey must also be specified as an additional credential. This limits closing an 
Auditing Client to a root user who knows the Auditing Client’s ClientKey. The ClientKey can be 
specified by using vlog’s [-c, --clientKey] option. Ifthe [-c, --clientKey] option is not 
specified, vlog uses the default client key “Zarahemla”. 


For example, enter the following command as the root user at a terminal console prompt: 


echo 'CLOSE ClientKey="Zarahemla"' > \ 
> /sys/audit/vigil/CLIENT VLOG _31691-1264200226/CONTROL 


IMPORTANT: When an Auditing Client is closed, the client’s directory is removed. You should not 
close an Auditing Client if the client directory is the current working directory. 


Authors 


Copyright 2009-2012, Novell, Inc. All rights reserved. http://www.novell.com (http:// 
www.novell.com) 
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See Also 


To report problems with this software or its documentation, visit the Novell Bugzilla Web site (http:// 
bugzilla.novell.com). 
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A.1 


A.1.1 


Documentation Updates 


This section contains information about documentation content changes made to the Novell Storage 
Services Services Auditing Client Logger (VLOG) Utility Reference since the initial release for Novell 
Open Enterprise Server (OES) 2 Support Pack 2 (SP2). 


This document was updated on the following dates: 
¢ Section A.1, “July 2013 Scheduled Maintenance,” on page 35 
¢ Section A.2, “April 2013 Scheduled Maintenance,” on page 36 
¢ Section A.3, “January 2013 Scheduled Maintenance,” on page 36 
¢ Section A.4, “October 18, 2012,” on page 36 
¢ Section A.5, “March 2012 Scheduled Maintenance,” on page 36 
+ Section A.6, “September 2011 Scheduled Maintenance,” on page 37 
* Section A.7, “May 2011 Scheduled Maintenance,” on page 37 
¢ Section A.8, “December 2010 (OES 2 SP3),” on page 38 


July 2013 Scheduled Maintenance 


Changes were made to the following sections. The changes are explained below. 


¢ Section A.1.1, “VLOG Utility Man Page,” on page 35 


¢ Section A.1.2, “What’s New or Changed in the NSS Auditing Client Logger (VLOG) Utility,” on 


page 36 
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Location Change 
“[-m, --maxFileCount] maxStreamFileCount” on The default value for maxStreamFileCount changed 
page 18 from 50 files to 4096 files. 
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A.1.2 What’s New or Changed in the NSS Auditing Client Logger (VLOG) 
Utility 


Location Change 


Section 2.1, “What’s New (July 2013 Patches),” on This section is new. 
page 11 


Section 2.1, “What’s New (July 2013 Patches),” on This section is new. 
page 11 


A.2 April 2013 Scheduled Maintenance 
Updates were made to the following section. The changes are explained below. 
A.2.1 What's New or Changed for Novell Cluster Services 


Location Change 


Section 2.2, “What’s New (April 2013 Patches),” on This section is new. 
page 11 


A.3 January 2013 Scheduled Maintenance 


Updates were made to the following section. The changes are explained below. 


A.3.1 What's New or Changed for Novell Cluster Services 


Location Change 


Section 2.3, “What's New (January 2013 Patches),” on This section is new. 
page 12 


A.4 October 18, 2012 


A typographical error was corrected for the options listed in “[-f, --format] [NUL, XML, CSV, SENT)” 
on page 17. 


A.5 March 2012 Scheduled Maintenance 


Changes were made to the following sections. The changes are explained below. 


+ Section A.5.1, “VLOG Utility Man Page,” on page 37 
+ Section A.5.2, “What’s New for VLOG,” on page 37 
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A.5.1 


A.5.2 


A.6 


A.6.1 


A.6.2 


A.7 
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Location Change 


“VLOG Options” on page 17 Added the - -logFilePath option. 


What’s New for VLOG 
Location Change 
“What's New (March 2012 This section is new. 


Patches)” on page 12 


September 2011 Scheduled Maintenance 


Changes were made to the following sections. The changes are explained below. 


* Section A.6.1, “VLOG Utility Man Page,” on page 37 
* Section A.6.2, “What’s New for VLOG,” on page 37 
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Location Change 


“VLOG Options” on page 17 Added the --maxFileCount option. 


What’s New for VLOG 


Location Change 


“What's New (September 2011 This section is new. 
Patches)” on page 13 


May 2011 Scheduled Maintenance 


Changes were made to the following sections. The changes are explained below. 


è Section A.7.1, “VLOG Utility Man Page,” on page 38 
+ Section A.7.2, “What’s New for VLOG,” on page 38 
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A.7.1 


A.7.2 


A.8 


A.8.1 


A.8.2 
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Location 


“VLOG Options” on page 17 


Change 


Added the - -logfilepath option. 


What’s New for VLOG 
Location Change 
“What's New (May 2011 This section is new. 


Patches)” on page 13 


December 2010 (OES 2 SP3) 


Changes were made to the following sections. The changes are explained below. 


¢ Section A.8.1, “VLOG Utility Man Page,” on page 38 
+ Section A.8.2, “What’s New for VLOG,” on page 38 
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Location 


“VLOG Options” on page 17 


Change 


Entries were added for the new options as described in Section 2.7, “What’s 
New for VLOG in OES 2 SP3,” on page 13. Definitions were also expanded for 
several entries. 


What’s New for VLOG 


This section is new. 
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